The UK has fined Facebook $645,000 over Cambridge Analytica’s data harvesting practices, which exploited the data of 87 million users of the social network.
That represents a gnat bite for the tech giant, which generated $5.1 billion in net profit in the second quarter of the year. However, the amount is the maximum penalty available to the UK’s Information Commissioner’s Office (ICO) under 1998’s Data Protection Act.
“But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty,” noted the regulator.
The UK’s updated Data Protection Act 2018, which implements the EU’s GDPR rules, stipulates a maximum fine of 4 percent of annual global turnover ($1.6 billion in Facebook’s case), but it wasn’t in place at the time of the Cambridge Analytica activities.
The ICO’s 27-page penalty notice [PDF] found that Facebook failed to protect users by allowing a third-party application to hand over the data of millions of platform users to Cambridge Analytica – a consulting group that took that information to conduct elaborate social engineering efforts to sway votes for various high-profile political campaigns, including that of President Donald Trump.
The ICO noted that Facebook APIs gave developers access to user data without requiring clear and proper consent for several years, between 2007 and 2014. It also said that once Facebook discovered that developers could use that loophole to harvest data in 2015 and subsequently eliminated it, Facebook did not take sufficient action to ensure that any skimmed data was deleted.
While the investigation also concluded that it did not have any specific evidence that British users’ social-media data was shared with Cambridge Analytica, the lack of data-handling controls alone warrants the penalty.
The ICO had said in July that it intended to levy the maximum fine in payment for potential damage done to Facebook UK users. In a media statement on Tuesday, Information Commissioner Elizabeth Denham reiterated that Facebook “should have known better and it should have done better.”
She added, “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.”
“We are currently reviewing the ICO’s decision,” Facebook said in a media statement. “While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.”
It added, “We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”